Error renewing SSL

ok, what should I change?

1 Like

First, let's rename this:

/etc/letsencrypt/live/online.cdiu.university

to this:

/etc/letsencrypt/live/online.cdiu.university-0001

Then let's see the output of these:
ls -l /etc/letsencrypt/live
ls -l /etc/letsencrypt/archive

1 Like

OK, ready:

root@online:/etc/letsencrypt/live# ls -lrht online.cdiu.university-001
total 4.0K
-rw-r--r-- 1 root root 692 Oct 8 12:43 README
lrwxrwxrwx 1 root root 54 Jan 1 00:59 privkey.pem -> ../../archive/online.cdiu.university-0001/privkey1.pem
lrwxrwxrwx 1 root root 56 Jan 1 00:59 fullchain.pem -> ../../archive/online.cdiu.university-0001/fullchain1.pem
lrwxrwxrwx 1 root root 52 Jan 1 00:59 chain.pem -> ../../archive/online.cdiu.university-0001/chain1.pem
lrwxrwxrwx 1 root root 51 Jan 1 00:59 cert.pem -> ../../archive/online.cdiu.university-0001/cert1.pem
root@online:/etc/letsencrypt/live# ls -l /etc/letsencrypt/live
total 20
drwxr-xr-x 2 root root 4096 Jul 9 02:43 ORIG-online.cdiu.university
-rw-r--r-- 1 root root 740 Jul 9 02:43 README
drwxr-xr-x 2 root root 4096 Oct 8 12:43 online.cdiu.university-0001-ORIG-renewed
drwxr-xr-x 2 root root 4096 Jan 1 00:59 online.cdiu.university-001
drwxr-xr-x 2 root root 4096 Jan 1 00:59 online.cdiu.university-12-31-2020
root@online:/etc/letsencrypt/live# ls -l /etc/letsencrypt/archive
total 8
drwxr-xr-x 2 root root 4096 Jan 1 00:59 online.cdiu.university
drwxr-xr-x 2 root root 4096 Oct 8 12:43 online.cdiu.university-0001

1 Like

You missed a 0 in the renaming.

Should be 0001, not 001

Once you've fixed that, let's see this:

ls -l /etc/letsencrypt/archive/online.cdiu.university-0001

1 Like

OK, I moved it to 0001.
I tried to reload and it came up like this:
root@online:/etc/letsencrypt/live# sudo systemctl reload nginx
Job for nginx.service failed.
See "systemctl status nginx.service" and "journalctl -xe" for details.
root@online:/etc/letsencrypt/live# systemctl status nginx.service
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2020-12-28 19:47:53 UTC; 3 days ago
Docs: man:nginx(8)
Process: 1387 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 1400 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 102702 ExecReload=/usr/sbin/nginx -g daemon on; master_process on; -s reload (code=exited, status=1/FAILURE)
Main PID: 1401 (nginx)
Tasks: 3 (limit: 4567)
Memory: 10.0M
CGroup: /system.slice/nginx.service
├─ 1401 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
├─92540 nginx: worker process
└─92541 nginx: worker process

Jan 01 01:51:04 online.cdiu.university systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Jan 01 01:51:04 online.cdiu.university systemd[1]: Reload failed for A high performance web server and a reverse proxy server.
Jan 01 01:51:31 online.cdiu.university systemd[1]: Reloading A high performance web server and a reverse proxy server.
Jan 01 01:51:31 online.cdiu.university nginx[102661]: nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/online.cdiu.university/fullchain.pem": B>
Jan 01 01:51:31 online.cdiu.university systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Jan 01 01:51:31 online.cdiu.university systemd[1]: Reload failed for A high performance web server and a reverse proxy server.
Jan 01 01:52:40 online.cdiu.university systemd[1]: Reloading A high performance web server and a reverse proxy server.
Jan 01 01:52:40 online.cdiu.university nginx[102702]: nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/online.cdiu.university/fullchain.pem": B>
Jan 01 01:52:40 online.cdiu.university systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Jan 01 01:52:40 online.cdiu.university systemd[1]: Reload failed for A high performance web server and a reverse proxy server.

You didn't want to reload yet... :scream:

1 Like

Let's get the clean certificate together...

What does this say:

certbot certificates

1 Like

root@online:/etc/letsencrypt/live# ls -l /etc/letsencrypt/archive/online.cdiu.university-0001
total 16
-rw-r--r-- 1 root root 1927 Oct 8 12:43 cert1.pem
-rw-r--r-- 1 root root 1647 Oct 8 12:43 chain1.pem
-rw-r--r-- 1 root root 3574 Oct 8 12:43 fullchain1.pem
-rw------- 1 root root 1704 Oct 8 12:43 privkey1.pem

1 Like

That looks good.

Now...

certbot certificates

1 Like

root@online:/etc/letsencrypt/live# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/online.cdiu.university.conf produced an unexpected error: expected /etc/letsencrypt/live/online.cdiu.university/cert.pem to be a symlink. Skipping.


Found the following certs:
Certificate Name: online.cdiu.university-0001
Domains: online.cdiu.university
Expiry Date: 2021-01-06 11:43:03+00:00 (VALID: 5 days)
Certificate Path: /etc/letsencrypt/live/online.cdiu.university-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/online.cdiu.university-0001/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/online.cdiu.university.conf


root@online:/etc/letsencrypt/live#

1 Like

Awesome. That's what I wanted to see.

Now...

What specific subdomain names do you want on the correct certificate? Only online.cdiu.university or also www.online.cdiu.university or ?

1 Like

OK, I really appreciate your time. I hope we can fix it :slight_smile:

2 Likes

I believe both, or online.cdiu.university.
The way it is right now, how it was working, I am OK with it.

1 Like

Let's get you both to be safe.

Do you manually fulfill a dns-01 challenge or an http-01 challenge, usually?

1 Like

I do this: certbot certonly --manual -d 'online.cdiu.university'
It asks me to create a file with a code.

1 Like

That's an http-01 challenge then. You'll need to create two files for this command...

certbot certonly --cert-name online.cdiu.university --manual -d "online.cdiu.university,www.online.cdiu.university"

1 Like

root@online:/etc/letsencrypt/renewal# certbot certonly --cert-name online.cdiu.university --manual -d "online.cdiu.university,www.online.cdiu.university"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.online.cdiu.university


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: yes


Create a file containing just this data:

TyhYe0LsPLRyvFxIp7eH8kCFnDR802MwuiN5tiz7MGg.TN1Sg4Oum8V5xFrmA4AJ7uVkGY0yOt5vRipPrtDdKio

And make it available on your web server at this URL:

http://www.online.cdiu.university/.well-known/acme-challenge/TyhYe0LsPLRyvFxIp7eH8kCFnDR802MwuiN5tiz7MGg


Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/online.cdiu.university-0002/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/online.cdiu.university-0002/privkey.pem
    Your cert will expire on 2021-04-01. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

1 Like

That's... not quite what I expected.

Hmmm...

certbot certificates

1 Like

root@online:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/online.cdiu.university.conf produced an unexpected error: expected /etc/letsencrypt/live/online.cdiu.university/cert.pem to be a symlink. Skipping.


Found the following certs:
Certificate Name: online.cdiu.university-0001
Domains: online.cdiu.university
Expiry Date: 2021-01-06 11:43:03+00:00 (VALID: 5 days)
Certificate Path: /etc/letsencrypt/live/online.cdiu.university-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/online.cdiu.university-0001/privkey.pem
Certificate Name: online.cdiu.university-0002
Domains: online.cdiu.university www.online.cdiu.university
Expiry Date: 2021-04-01 01:10:53+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/online.cdiu.university-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/online.cdiu.university-0002/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/online.cdiu.university.conf

1 Like
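
Added example, not part of any post in this thread: a read-only shell check for the two layout problems seen above, a live/ directory whose name does not match the archive/ lineage its links point to (001 vs 0001) and a .pem under live/ that is not a symlink. The function names, the demo tree and the `-copy` directory are constructed for illustration; the layout assumed is the one shown in the thread's `ls -l` listings.

```shell
#!/bin/sh
# Audit certbot lineages: live/<name>/<kind>.pem must be a symlink to
# ../../archive/<name>/<kind>N.pem for cert, chain, fullchain and privkey.
# Read-only: it reports problems and changes nothing.

audit_lineages() {            # usage: audit_lineages /etc/letsencrypt
    local root="$1" problems=0 dir name kind link target
    for dir in "$root"/live/*/; do
        [ -d "$dir" ] || continue
        name="$(basename "$dir")"
        for kind in cert chain fullchain privkey; do
            link="${dir}${kind}.pem"
            target="$(readlink "$link" 2>/dev/null || true)"
            if [ ! -L "$link" ]; then
                echo "NOT-SYMLINK   $link"          # plain file or missing
            elif [ ! -e "$link" ]; then
                echo "DANGLING      $link -> $target"
            else
                case "$target" in                   # link must stay in its own lineage
                    "../../archive/$name/$kind"[0-9]*.pem) continue ;;
                esac
                echo "WRONG-LINEAGE $link -> $target"
            fi
            problems=$((problems + 1))
        done
    done
    echo "$problems problem(s) under $root/live"
    [ "$problems" -eq 0 ]
}

# Constructed demo tree (empty files, not real keys or certificates).
build_demo() {
    local root n=online.cdiu.university k
    root="$(mktemp -d)"
    mkdir -p "$root/archive/$n-0001" "$root/archive/$n-0002" \
             "$root/live/$n-001" "$root/live/$n-0002" "$root/live/$n-copy"
    for k in cert chain fullchain privkey; do
        : > "$root/archive/$n-0001/${k}1.pem"
        : > "$root/archive/$n-0002/${k}1.pem"
        # live dir named 001, links point into the 0001 archive (as in the thread)
        ln -s "../../archive/$n-0001/${k}1.pem" "$root/live/$n-001/$k.pem"
        ln -s "../../archive/$n-0002/${k}1.pem" "$root/live/$n-0002/$k.pem"
        : > "$root/live/$n-copy/$k.pem"   # hypothetical hand-made copy, no symlinks
    done
    echo "$root"
}

if [ "$#" -gt 0 ]; then audit_lineages "$1"; fi
```

Run it against the demo with `audit_lineages "$(build_demo)"`, or pass the real configuration directory as the first argument; a non-zero exit status means at least one lineage needs attention before reloading the web server.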

Let's do some housekeeping.

It looks like you created a "backup" folder named:

/etc/letsencrypt/live/online.cdiu.university-12-31-2020

Is this correct?

1 Like